From 6176d009ee6594d912f46846ee7333c091ceeb17 Mon Sep 17 00:00:00 2001
From: Philip Jenvey
Date: Sun, 24 Apr 2011 23:43:55 -0700
Subject: resistance is futile, assimilating (not built by aliens)
---
 CONTRIBUTORS.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
index 5a72f242e..75f9e9166 100644
--- a/CONTRIBUTORS.txt
+++ b/CONTRIBUTORS.txt
@@ -135,3 +135,4 @@ Contributors
 - Juliusz Gonera, 2011/04/17
+- Philip Jenvey, 2011/04/24
-- 
cgit v1.2.3
From a5702cd86382603cc1a3071bc16b9b493e21ebeb Mon Sep 17 00:00:00 2001
From: Philip Jenvey
Date: Sun, 24 Apr 2011 23:45:14 -0700
Subject: refactor
---
 pyramid/session.py | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/pyramid/session.py b/pyramid/session.py
index 4e63ef460..c284ce91b 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -18,6 +18,7 @@ import os
 from zope.interface import implements
+from pyramid.compat import any
 from pyramid.interfaces import ISession
 def manage_accessed(wrapped):
@@ -282,12 +283,7 @@ def signed_deserialize(serialized, secret, hmac=hmac):
     if len(sig) != len(input_sig):
         raise ValueError('Wrong signature length')
-    invalid_bits = 0
-
-    for a, b in zip(sig, input_sig):
-        invalid_bits += a != b
-
-    if invalid_bits:
+    if any(a != b for a, b in zip(sig, input_sig)):
         raise ValueError('Invalid bits in signature')
     return pickle.loads(pickled)
-- 
cgit v1.2.3
From bf6be9eae4d0be7789effd36875148b6319d77e1 Mon Sep 17 00:00:00 2001
From: Philip Jenvey
Date: Mon, 25 Apr 2011 01:04:17 -0700
Subject: revert a5702cd8: oops, it undoes timing attack protection
---
 pyramid/session.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/pyramid/session.py b/pyramid/session.py
index c284ce91b..5772c80d0 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -18,7 +18,6 @@ import os
 from zope.interface import implements
-from pyramid.compat import any
 from pyramid.interfaces import ISession
 def manage_accessed(wrapped):
@@ -277,13 +276,16 @@ def signed_deserialize(serialized, secret, hmac=hmac):
     sig = hmac.new(secret, pickled, sha1).hexdigest()
-    # Avoid timing attacks (see
-    # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
-
     if len(sig) != len(input_sig):
         raise ValueError('Wrong signature length')
-    if any(a != b for a, b in zip(sig, input_sig)):
+    # Avoid timing attacks (see
+    # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
+    invalid_bits = 0
+    for a, b in zip(sig, input_sig):
+        invalid_bits += a != b
+
+    if invalid_bits:
         raise ValueError('Invalid bits in signature')
     return pickle.loads(pickled)
-- 
cgit v1.2.3
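Review bot: The restored `invalid_bits += a != b` loop is the right shape, but the re-added comment still only says what it avoids, not why the obvious rewrite is wrong, and a5702cd8 on this same page shows the next refactor will reach for `any()` or `==` again. I would extend it with `# Deliberately not any()/==: both stop at the first differing character, so` / `# the compare time would reveal how much of a forged signature is correct.` so the constraint is explicit at the point of use. Where the interpreter offers it, `hmac.compare_digest` (Python 2.7.7+/3.3+) is the standard replacement for this hand-rolled loop; given the file targets interpreters old enough to need `pyramid.compat.any`, it would have to be a guarded fallback rather than a straight substitution. The context line `return pickle.loads(pickled)` means this signature check is the only barrier before unpickling cookie data, so its correctness is load-bearing and the reliance on the secret staying secret is worth a comment (or, longer term, a non-pickle serializer). signed_deserialize's body begins outside the hunk.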